I have been working with forum members and MWB support  (most recently) to address seeming conflicts between MWB and the Windows 8.1 and 10 systems that I have.  When working with a forum member on 1 of the 8.1 machines, he had me use FRST to do analyses with the MWB Support tool and then run a script.  I was surprised to find out that FRST seems to be freeware.  I almost never load freeware as it is my belief that nothing is free and I'll pay a price somewhere along the line.  I assumed MWB had a license for FRST.   Everything went smoothly and the system seems stable on that machine. 

I then changed horses and started working with MWB support on my Surface Go.  The issue here was that when MWB was loaded, the system would occasionally wake up with the WIFI non-functional.  As expected,  I was instructed to run the Support Tool.  During the execution of FRST, OneDrive started popping up messages saying that Farbar was writing files to OneDrive.  Farbar makes FRST.   The popup listed the filenames which seemed to be related to brand names, for example, Budget Rent a Car.  I canceled the download, but let the Support Tool finish.

I found the file on my Desktop which is mapped to OneDrive by listing by most recent.  At the top was a file Unconfirmed 855007.crdownload.  I learned that this is a Chrome compressed file.  I suspected that FRST was downloading adware to install into Edge.

When I mentioned this to the MWB support agent, he dismissed my concern by saying the file was probably already there, and wanted to just get on with things.

I did not expect to be blown off.  I had expected him to ask me to upload the file so he could take a look at it. I informed him I would not proceed further until this unexplained download is explained.

I am less than impressed. My patience is wearing thin here.

Dan

 


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.


If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


FRST is not harmful at all. Some security programs falsely detect it and will stop or delete it. It will do the same for other tools as well.

NONE of the tools that we at Malwarebytes ask you to run are harmful.

 

8 minutes ago, Dan964 said:

I did not expect to be blown off.  I had expected him to ask me to upload the file so he could take a look at it. I informed him I would not proceed further until this unexplained download is explained.

I am less than impressed. My patience is wearing thin here.

Looking at the last post from Aug 3,  Maurice was waiting for a response from you.

 


Thanks for the reply, Porthos, but, claiming FRST is harmless does not explain what it was doing downloading these files. I would take a crack at unpacking the file, but that would involve downloading yet another piece of freeware.

I'll upload the file in case anyone cares to take a crack at it.

And the issue with Speccy was that Win 10 would not run it and I couldn't override its objections.  Which again reinforced my objections to using freeware.

 

Dan

Unconfirmed 855007.zip


3 minutes ago, Dan964 said:

but, claiming FRST is harmless does not explain what it was doing downloading these files.

FRST itself just creates logs for your helper to see what is on your computer and then can be configured to run a fixlist to run commands to fix/repair the computer.

It is used daily 1000's of times around the world on help forums. It was written and is constantly updated for that purpose.

Speccy, on the other hand, is harmless and gets system info, but recently, since Avast purchased it with CCleaner, Windows Defender has been flagging it as a PUA in some cases.

 


Remember that tools looking for 'nasties' will usually contain a list of the names of those 'nasties'.

Less sophisticated security software will see that list and throw its hands up thinking the full thing might be there and not just its name in a list.

Speccy has not been updated for a number of years now. Earlier this month Microsoft started to object to the Speccy installer because it contains an 'offer' of other software. MS does not object to Speccy itself merely that installer. (Many think this is heavy handed of MS who also offer other MS products when you install their software).


@Porthos thanks for hanging in there.  I understand that the file is temporary, which is why, I expect, I can't find it on my 8.1 machine.

I still believe FRST downloading something called 'Budget Rent a Car' among others is suspicious.

I apologize for my hardheadedness, but I am not inclined to accept claims of safety when all my Spidey senses are tingling.  This looks to me as if Farbar was hacked and someone embedded payload delivery into FRST.

Dan


9 minutes ago, Dan964 said:

I still believe FRST downloading something called 'Budget Rent a Car' among others is suspicious.

I have never seen it do anything of the kind. Something else is going on there.

 

9 minutes ago, Dan964 said:

I apologize for my hardheadedness, but I am not inclined to accept claims of safety when all my Spidey senses are tingling.  This looks to me as if Farbar was hacked and someone embedded payload delivery into FRST.

I understand your concern.

I just ran it downloaded from the same link we give all users and it did not do anything unexpected. I did have to override Windows smart screen.

 

2020-08-26_13h04_27.png

2020-08-26_13h04_03.png

Edited by Porthos

Not all freeware comes at a price.  There is a long history of valuable, free tools developed strictly for the purpose of helping others.  Sysinternals (now owned by Microsoft, but previously independent and developing lots of freeware) are a great example.  They make tools such as Autoruns, Process Monitor and Process Explorer among others.  FRST was developed by a member of the malware help forums community for the purpose of aiding other helpers in finding and removing malware manually from systems and there are and for a very long time have been many other tools developed for a similar purpose (the likes of ComboFix, ATFCleaner, SDFix, VundoFix, Bughunter, HijackThis are similar examples).

While it may seem naive, some people actually do things that require real work, effort, and even money for no greater profit than knowing they are helping others.  It's the same reason Malwarebytes has always offered free scanning and removal of threats without any limits on how long it can be used or how many threats can be removed even though Malwarebytes is a company that works for a profit.

You can find out about Farbar with a quick web search: https://www.bleepingcomputer.com/download/publisher/farbar/

As for the strange files, I'm not sure unless perhaps it was reading some data from the browser's history or something similar (which might be as benign as being historical browser data from embedded ads in sites you've visited), though without the actual files or a log of the activity (such as from a tool like Process Monitor which shows all file reads/writes etc.), there isn't much to go on.  I do know that FRST, being one of the most frequently used tools in the community, is regularly scrutinized, analyzed and used by a very large number of knowledgeable malware removal specialists and most importantly, threat researchers, so if it were Trojanized/infected or maliciously modified somehow, we would certainly be hearing about it (there was recently a Trojanized build of Malwarebytes being distributed by an unknown source in Russia and the Ukraine which was discovered and reported on several websites, so I would expect that if anything like that happened to the legitimate download/source for FRST we'd see articles about it everywhere, just as we did when the CCleaner hack happened and it actually was used for distributing malware).

Edited by exile360
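
Added example (not part of any forum post, and not Malwarebytes or Farbar code): a `.crdownload` file is the name Chrome gives a download while it is still in progress, so its content is whatever was being fetched. The function below inspects such a file with built-in Windows PowerShell only; the function name `Get-DownloadTriage` and the sample file are constructed for illustration.

```powershell
# Triage a leftover browser download using only built-in PowerShell (Windows).
function Get-DownloadTriage {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path

    # Read the first 8 bytes; most file formats start with a fixed signature.
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($file.FullName)
    try { $n = $fs.Read($head, 0, $head.Length) } finally { $fs.Dispose() }
    $hex = if ($n -gt 0) { [System.BitConverter]::ToString($head, 0, $n) } else { '' }

    # Well-known signatures (hex, dash-separated as BitConverter prints them).
    $known = [ordered]@{
        '4D-5A'       = 'Windows executable (PE)'
        '50-4B-03-04' = 'ZIP container (also Office documents, JAR)'
        '43-72-32-34' = 'Chrome extension package (CRX)'
        '25-50-44-46' = 'PDF document'
        '1F-8B'       = 'gzip stream'
        '89-50-4E-47' = 'PNG image'
        'FF-D8-FF'    = 'JPEG image'
    }
    $type = 'unknown (could be text, or a download that stopped before any data arrived)'
    foreach ($sig in $known.Keys) {
        if ($hex.StartsWith($sig)) { $type = $known[$sig]; break }
    }

    # Zone.Identifier is the "mark of the web" alternate data stream. When present
    # it can include ReferrerUrl/HostUrl lines naming where the download came from.
    $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Name      = $file.Name
        Bytes     = $file.Length
        Modified  = $file.LastWriteTime
        FirstHex  = $hex
        LooksLike = $type
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        ZoneInfo  = if ($zone) { $zone -join '; ' } else { '(no Zone.Identifier stream)' }
    }
}

# Constructed sample: a temp file that starts with the ZIP signature.
$sample = Join-Path $env:TEMP 'constructed-sample.crdownload'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x50, 0x4B, 0x03, 0x04, 0, 0, 0, 0))
Get-DownloadTriage -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

The file's modified time can be compared with the time the Support Tool ran, and the SHA256 value identifies the file without opening or executing it.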

10 minutes ago, exile360 said:

for a very long time have been many other tools developed for a similar purpose (the likes of ComboFix, ATFCleaner, SDFix, VundoFix, Bughunter, HijackThis are similar examples).

Malwarebytes also started this way with a tool called Rogue Remover before Malwarebytes even became a program.


12 minutes ago, Porthos said:

Malwarebytes also started this way with a tool called Rogue Remover before Malwarebytes even became a program.

As I recall, RogueRemover used the same freemium model as Malwarebytes' Anti-Malware (now just Malwarebytes) with a licensed version offering real-time protection and such, though Marcin also developed at least one or two free malware removal tools before that which were more limited in scope as I recall (I believe he made one of the tools for removing one or several of the common search hijackers of the day, if I recall correctly).  RogueRemover was a cool tool; it just lacked the 'teeth' of DOR (Delete On Reboot; i.e. the Avenger driver/scripting engine developed by Doug Swanson) that made Malwarebytes' Anti-Malware one of the best anti-malware tools when it comes to threat remediation (a reputation it still has to this day thanks to its excellent design, active development and dedicated Researchers).
